I installed OpenVPN on my main notebook to test and it connects fine.
I installed OpenVPN on my 2nd notebook and it says that the certificate has expired!

No matter what I do, I don't come any further. I have de-installed and re-installed the client on both PCs, I have deleted the certificates out of the Windows Cert Store and I deleted the config files. Re-installed, same results. I then deleted the OpenVPN server and re-created it, then the users, then exported the set-up file and re-installed on the clients. Same results.

I also created a second user, it installed and worked on the user's main PC, their 2nd PC complained that the certificate had expired!

Interestingly, I exported the Android configuration and it works fine there.

I added the option to the config file and I am back to just the original error of an expired certificate.

I have checked the time and location settings, all PCs and server are in the same time zone and show the same time.
The PCs are connecting 1 at a time, so it isn't a spurious error message, that 2 PCs are signing on with the same certificate and user at the same time - in fact, the server is configured to allow multiple simultaneous connections from the same user.

The notebook that doesn't work is private, therefore it has a different username to the company notebook... I tried adding a new account with the same name and voilà, OpenVPN stopped saying the certificate has expired...

So, it has nothing to do with the certificate file or the configuration, but it seems to be a "bad" error message, when the local account name isn't the same as the account name used to log onto the corporate network...

So, wrong error message and checking in the wrong place? With OpenVPN, I am connecting from a PC to the server using credentials that are valid on the network, so it shouldn't, IMHO, have anything to do with the local username... The OpenVPN username and password are correct and correspond to the certificate.

I haven't had time to test this further - after changing to a user account on the PC with the same name, the error disappeared, but it still didn't connect, I am now looking into that. But it still doesn't solve the initial problem. Is this expected behaviour? It seems a bit odd, plus Android doesn't have this problem - I am "logged" on to that with my GMail account, not my corporate account...

So, it has nothing to do with the certificate file or the configuration, but it seems to be a "bad" error message, when the local account name isn't the same as the account name used to log onto the corporate network...

I don't understand what that has to do with anything, I'm using OpenVPN profiles for 4-5 different places with different username/passwords than the account I'm logged in on my laptop.

I can only give information as it appears. Using a normal local account with a name different to the domain account, the certificate is "expired". Using an account with the same name as the domain account, the certificate is not expired...

I had been using the setting to store the key in the Windows Certificate Manager, instead of local files.

This seems to work on PCs where the local user is in the domain, but not when the user is logged on with a local account. I changed the settings in the package manager on the pfSense to just use local files and et voilà it connected first time!

So there seems to be some problem with the way that the Windows Certificate Manager and OpenVPN are interacting, when the local account name doesn't match the VPN login (we use RADIUS on the pfSense to authenticate users).

Once the name matches, the error about the expired certificate goes away, but it still can't connect (server log says that the key was not transmitted / "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]").

Once OpenVPN is configured to use local certificate files, instead of the Windows Certificate Manager, there are no errors and OpenVPN can connect without problem.

Not 100% ideal, but at least we can move forward with implementing pfSense now.
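
An added example, not code from the thread's posters or from pfSense: a small checker that reports whether an exported client profile takes its certificate from the Windows certificate store (`cryptoapicert`) or from local files (`cert`/`key`/`pkcs12`), and whether it carries a `tls-auth`/`tls-crypt` key, which a server configured with a TLS key expects in every packet. The two sample profiles, the host name and the file names are constructed, and that the server uses a TLS key is an assumption.

```python
import re

SAMPLE_STORE = '''# constructed sample: profile using the Windows certificate store
client
remote vpn.example.com 1194
auth-user-pass
cryptoapicert "SUBJ:user1"
'''
SAMPLE_FILES = '''; constructed sample: profile using local files
client
remote vpn.example.com 1194
auth-user-pass
pkcs12 user1.p12
tls-auth user1-tls.key 1
'''

def parse_profile(text):
    """Map each directive to its argument string; skip comments and inline <tag> bodies."""
    directives, inline = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if inline:                                   # inside <cert>...</cert> etc.
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":              # both comment styles are valid
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:                                      # inline material counts as configured
            inline = tag.group(1)
            directives[inline] = "[inline]"
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives

def audit(text):
    """Report the certificate source and whether a TLS (HMAC) key is configured."""
    d = parse_profile(text)
    if "cryptoapicert" in d:
        source = "windows-store"                     # depends on the logged-on user's store
    elif "pkcs12" in d or {"cert", "key"} <= d.keys():
        source = "files"
    else:
        source = "missing"
    has_hmac = bool({"tls-auth", "tls-crypt"} & d.keys())
    return {"cert_source": source, "selector": d.get("cryptoapicert"), "hmac_key": has_hmac}

if __name__ == "__main__":
    for name, profile in (("store", SAMPLE_STORE), ("files", SAMPLE_FILES)):
        print(name, audit(profile))
```

Running it over each exported profile before installing shows at a glance which machines depend on a certificate being present in the Windows store of the account that starts OpenVPN.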